[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Adam Langley agl at google.com
Fri Aug 21 17:13:11 UTC 2015


On Fri, Aug 21, 2015 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> That being said, CDNs still need to meet security
> standards because they provide status information to end users.  One might
> expect auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16
> reports, and that CAs should be requesting copies of those from CDNs on an
> annual basis.

On that basis, aren't all servers that perform OCSP stapling
"provid[ing] status information to end users" and thus subject to the
same requirements?


Cheers

AGL


